[SECURITY-L] Fwd: [Security-news] Drupal core - Critical - Access bypass - SA-CORE-2019-008
CSIRT Unicamp
security em unicamp.br
Qua Jul 17 14:10:53 -03 2019
View online: https://www.drupal.org/sa-core-2019-008
Project: Drupal core [1]
Date: 2019-July-17
Security risk: *Critical* 17∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
CVE IDs: CVE-2019-6342
Description:
In Drupal 8.7.4, when the experimental [3] Workspaces module is enabled, an
access bypass condition is created.
This can be mitigated by disabling the Workspaces module. It does not affect
any release other than Drupal 8.7.4.
Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are *not*
affected.
Solution:
If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5.
*Note, manual step needed.* For sites with the Workspaces module enabled,
update.php needs to run to ensure a required cache clear. If there is a
reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare)
it
is also advisable to clear these as well.
Reported By:
* Dave Botsch [4]
Fixed By:
* Michael Hess [5] of the Drupal Security Team
* Jess [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
* Chris McCafferty [8] of the Drupal Security Team
* Neil Drumm [9] of the Drupal Security Team
* Alex Pott [10] of the Drupal Security Team
* Andrei Mateescu [11]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/core/experimental#beta
[4] https://www.drupal.org/user/3534164
[5] https://www.drupal.org/user/102818
[6] https://www.drupal.org/user/65776
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/1850070
[9] https://www.drupal.org/user/3064
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/729614
_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20190717/c2605f56/attachment.html>
Mais detalhes sobre a lista de discussão SECURITY-L